The State of Washington has officially joined the national conversation on data privacy regulation. On January 17, 2019, the Washington Senate proposed SB 5376, the Washington Privacy Act (WPA), which would impose responsibilities on companies to protect the privacy of “personal data.” The bill’s substantive provisions closely mirror those found in the European Union’s General Data Protection Regulation (GDPR), making the potential legislation one of the most privacy protective in the United States.
Applicability of the WPA
The WPA limits the jurisdictional scope of the law to entities that conduct business in the State of Washington or produce products or services that are intentionally targeted to residents of Washington, which: (1) control or process data of 100,000 or more consumers; or (2) derive over 50% of their gross revenue from the sale of personal information and process or control personal information of 25,000 consumers or more.
The WPA could consequently have a far-reaching impact not only on companies that are physically present or incorporated within the state of Washington, but also on companies outside the state that intentionally solicit the state’s residents for business.
Consumer Rights Under the WPA
Section 6 of the WPA highlights various rights the WPA grants Washington consumers. These rights include but are not limited to the following:
After receipt of a consumer request, the controller has 30 days to fulfill that request. The 30-day deadline may be extended by 60 days, granting the controller a total of 90 days to respond. However, the controller must inform the consumer of any extension 30 days after receiving the request. If a consumer makes the request by electronic means, the controller must provide the information by electronic means.
Enhanced Privacy Notices
The WPA requires controllers to be transparent and accountable for their processing of personal data by updating their privacy notices in order for them to reflect:
Furthermore, if a controller sells personal data to data brokers for marketing purposes, including targeted marketing and profiling, it must disclose such processing as well as the manner in which a consumer may exercise the right to object to the sale of personal data.
Liability and Enforcement
The WPA clearly indicates that it does not serve as the basis for a private right of action. Instead, a violation of the WPA is treated as an unfair or deceptive act in trade or commerce. Such a violation is to be enforced by the attorney general’s office, which may bring an action in the name of the state or on behalf of persons residing in the state. Controllers and/or processors must cure WPA violations within 30 days of receiving notice of non-compliance from the attorney general. Violators are subject to injunctions and civil penalties of $2,500 for each violation or $7,000 for each intentional violation.
Impact of the WPA
With the California Consumer Privacy Act (CCPA) set to take effect on January 1, 2020, and the WPA to be voted on soon by the Washington Senate, states are taking matters into their own hands to pursue comprehensive privacy legislation. Congress is concurrently considering a federal privacy framework. Senator Marco Rubio recently introduced the American Data Dissemination Act (ADD), a federal data privacy bill that would preempt all state laws aimed at policing data privacy. The bill is yet to be voted on. In January of 2019, Senators Klobuchar (D-MN) and Kennedy (R-LA) reintroduced the Social Media Privacy and Consumer Rights Act. The bill is aimed at giving consumers more protections on social media platforms such as Facebook or Instagram. Among other things, the bill gives consumers the right to opt out of data collection by third parties on social media platforms.
Whether the U.S. ultimately regulates data privacy at the federal or state level, or both, it’s abundantly clear that there is widespread support for privacy legislation. The real question is how broadly applicable and onerous these laws will be.
* Ali Najaf contributed to this post.